Field Detail

sighashFlags

public final int sighashFlags

A byte that controls which parts of a transaction are signed. This is exposed because signatures
parsed off the wire may have sighash flags that aren't "normal" serializations of the enum values.
Because Bitcoin Core works via bit testing, we must not lose the exact value when round-tripping,
otherwise we'll fail to verify signature hashes.

Method Detail

dummy

Returns a dummy invalid signature whose R/S values are set such that they will take up the same number of
encoded bytes as a real signature. This can be useful when you want to fill out a transaction to be of the
right size (e.g. for fee calculations) but don't have the requisite signing key yet and will fill out the
real signature later.

calcSigHashValue

Calculates the byte used in the protocol to represent the combination of mode and anyoneCanPay.

isEncodingCanonical

public static boolean isEncodingCanonical(byte[] signature)

Returns true if the given signature has canonical encoding, and will thus be accepted as standard by
Bitcoin Core. DER and the SIGHASH encoding allow for quite some flexibility in how the same structures
are encoded, and this can open up novel attacks in which a man in the middle takes a transaction and then
changes its signature such that the transaction hash is different but it's still valid. This can confuse wallets
and generally violates people's mental model of how Bitcoin should work. Thus, non-canonical signatures are now
not relayed by default.

anyoneCanPay

public boolean anyoneCanPay()

sigHashMode

encodeToBitcoin

public byte[] encodeToBitcoin()

What we get back from the signer are the two components of a signature, r and s. To get a flat byte stream
of the type used by Bitcoin we have to encode them using DER encoding, which is just a way to pack the two
components into a structure, and then we append a byte to the end for the sighash flags.

toCanonicalised

Will automatically adjust the S component to be less than or equal to half the curve order, if necessary.
This is required because for every signature (r,s) the signature (r, -s (mod N)) is a valid signature of
the same message. However, we dislike the ability to modify the bits of a Bitcoin transaction after it's
been signed, as that violates various assumed invariants. Thus in future only one of those forms will be
considered legal and the other will be banned.
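
The steps described under encodeToBitcoin and toCanonicalised, written out as an added example that is not bitcoinj's own code: it folds S into the lower half of the curve order, DER-encodes r and s, and appends the sighash byte unchanged. The class and method names are hypothetical, and the r and s values are constructed samples rather than a real signature.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;

// Added illustration; class and method names are hypothetical, not bitcoinj's API.
public class LowSExample {
    // Order of the secp256k1 group (N) and half of it.
    static final BigInteger N = new BigInteger(
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16);
    static final BigInteger HALF_N = N.shiftRight(1);

    // (r, s) and (r, N - s) are both valid for the same message; keep the low one.
    static BigInteger canonicalS(BigInteger s) {
        return s.compareTo(HALF_N) > 0 ? N.subtract(s) : s;
    }

    // DER INTEGER: tag 0x02, length, minimal big-endian two's complement.
    static void writeInt(ByteArrayOutputStream out, BigInteger v) {
        byte[] b = v.toByteArray(); // adds a leading 0x00 when the top bit is set
        out.write(0x02);
        out.write(b.length);
        out.write(b, 0, b.length);
    }

    // DER SEQUENCE of r and s, followed by the one-byte sighash flags.
    static byte[] encode(BigInteger r, BigInteger s, int sighashFlags) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        writeInt(body, r);
        writeInt(body, s);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x30);
        out.write(body.size()); // below 128 for 256-bit values, so one length byte
        out.write(body.toByteArray(), 0, body.size());
        out.write(sighashFlags & 0xff); // the exact flag byte is kept, not re-derived
        return out.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed sample values, not a real signature.
        BigInteger r = new BigInteger("1234567890ABCDEF", 16);
        BigInteger highS = N.subtract(BigInteger.valueOf(5));
        byte[] highForm = encode(r, highS, 0x01);            // 0x01 = SIGHASH_ALL
        byte[] lowForm = encode(r, canonicalS(highS), 0x01);
        System.out.println("high-S encoding: " + highForm.length + " bytes");
        System.out.println("low-S encoding:  " + lowForm.length + " bytes");
        System.out.println("canonical s = " + canonicalS(highS));
    }
}
```

The two encodings differ in their bytes, so a transaction carrying one hashes differently from the same transaction carrying the other, which is why a single form is enforced.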